FreeBSD firewall using PF

FreeBSD has supported OpenBSD’s powerful firewall PF since version 5.3. The scenario I was pursuing was firewalling one of my FreeBSD machines:

Incoming firewalling

  • Only incoming SSH connections from known SSH clients should be accepted.
  • Only incoming Syslog traffic from known Syslog clients should be accepted.
  • Only incoming ICMP Echo-Reply, ICMP Echo-Request and ICMP Destination-Unreachable datagrams should be accepted. Any other ICMP datagram is potentially dangerous.
  • No other incoming traffic should be allowed, but should get logged.

Outgoing firewalling

  • Only outgoing DNS queries to known DNS servers should be accepted.
  • Only outgoing NTP traffic to known NTP servers should be accepted.
  • Only outgoing ICMP Echo-Reply, ICMP Echo-Request and ICMP Destination-Unreachable datagrams should be accepted. Any other ICMP datagram is potentially dangerous.
  • No other outgoing traffic should be allowed, but should get logged.

The contents of /etc/pf.conf should look like this:

scrub in all

pass quick on lo0 all

icmp_types = "{ echorep, unreach, echoreq }"
syslog_sources = "{ 192.168.0.124, 192.168.0.125, 192.168.0.126 }"
ssh_sources = "{ 192.168.0.90, 192.168.0.91 }"
ntp_servers = "{ 192.168.0.125 }"
dns_servers = "{ 192.168.0.124 }"

block in log all
pass in on rl0 inet proto icmp icmp-type $icmp_types keep state
pass in on rl0 proto tcp from $ssh_sources to self \
    port { 22 } flags S/SA keep state
pass in on rl0 proto udp from $syslog_sources to self \
    port { 514 }

block out log all
pass out on rl0 inet proto icmp icmp-type $icmp_types keep state
pass out on rl0 proto udp from self to $dns_servers \
    port { 53 } keep state
pass out on rl0 proto udp from self to $ntp_servers \
    port { 123 } keep state
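The ruleset above depends on two properties of PF that are easy to get wrong when editing it: the last matching rule wins, which is why each `block ... log all` has to come before the `pass` rules that punch holes in it, and `quick` ends the search, which is why the loopback rule can sit first. The following Python script is an added example, not code from the post or from FreeBSD: it parses a constructed copy of the ruleset, expands the macros and evaluates sample packets with those two semantics so you can see which rule decides each one before loading the file on a real box. The firewall's own address (192.168.0.10, so that `self` resolves to it) and the sample packets are assumptions. `keep state`, `flags` and `scrub` are parsed and ignored, so this is a stateless model; on the real firewall `keep state` on the SSH rule is what lets the server's replies out past `block out log all`.

```python
"""Stateless model of PF rule selection, run over the ruleset from this post.

Teaching code, not pf(4): it demonstrates macro expansion, "last matching rule
wins" and "quick ends the search"; keep state, flags and scrub are ignored.
"""
import re

# Constructed copy of the post's ruleset, continuation lines joined, order kept.
PF_CONF = '''scrub in all
pass quick on lo0 all
icmp_types = "{ echorep, unreach, echoreq }"
syslog_sources = "{ 192.168.0.124, 192.168.0.125, 192.168.0.126 }"
ssh_sources = "{ 192.168.0.90, 192.168.0.91 }"
ntp_servers = "{ 192.168.0.125 }"
dns_servers = "{ 192.168.0.124 }"
block in log all
pass in on rl0 inet proto icmp icmp-type $icmp_types keep state
pass in on rl0 proto tcp from $ssh_sources to self port { 22 } flags S/SA keep state
pass in on rl0 proto udp from $syslog_sources to self port { 514 }
block out log all
pass out on rl0 inet proto icmp icmp-type $icmp_types keep state
pass out on rl0 proto udp from self to $dns_servers port { 53 } keep state
pass out on rl0 proto udp from self to $ntp_servers port { 123 } keep state
'''
# Assumed addresses of the firewall host itself; PF's "self" keyword expands to them.
SELF_ADDRS = {"192.168.0.10", "127.0.0.1"}
ME = "192.168.0.10"
# Rule keywords that take one argument, mapped to the packet field they test.
KEYWORD_ARGS = {"on": "iface", "proto": "proto", "icmp-type": "icmp_type",
                "from": "src", "to": "dst", "port": "dport"}

def parse_rule(line):
    toks = line.split()
    rule = {"action": toks[0], "dir": None, "quick": False}
    it = iter(toks[1:])
    for t in it:
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t in KEYWORD_ARGS:
            rule[KEYWORD_ARGS[t]] = set(next(it).split(","))
        elif t in ("flags", "keep"):
            next(it)            # "flags S/SA" and "keep state" are not modelled
        elif t not in ("log", "all", "inet"):
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule

def parse_ruleset(text):
    """Expand macros and return the filter rules in file order (scrub skipped)."""
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "scrub")):
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"(.*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # An undefined macro raises KeyError here, much as pfctl rejects the file.
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        # Collapse "{ a, b }" lists into one comma-separated token.
        line = re.sub(r"\{([^}]*)\}", lambda mm: mm.group(1).replace(" ", ""), line)
        rules.append(parse_rule(line))
    return rules

def rule_matches(rule, pkt):
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    for field in ("iface", "proto", "icmp_type", "dport"):
        if field in rule and pkt[field] not in rule[field]:
            return False
    for field in ("src", "dst"):
        if field in rule and not any(pkt[field] in SELF_ADDRS if a == "self"
                                     else pkt[field] == a for a in rule[field]):
            return False
    return True

def verdict(rules, pkt):
    """PF semantics: implicit pass, last matching rule wins, 'quick' stops the search."""
    result = "pass"
    for rule in rules:
        if rule_matches(rule, pkt):
            result = rule["action"]
            if rule["quick"]:
                break
    return result

def packet(direction, proto, src, dst, iface="rl0", dport=None, icmp_type=None):
    return {"dir": direction, "proto": proto, "src": src, "dst": dst,
            "iface": iface, "dport": dport, "icmp_type": icmp_type}

RULES = parse_ruleset(PF_CONF)
if __name__ == "__main__":
    samples = [  # constructed packets: a listed SSH client, an unlisted one, HTTPS out
        ("SSH from 192.168.0.90", packet("in", "tcp", "192.168.0.90", ME, dport="22")),
        ("SSH from 192.168.0.200", packet("in", "tcp", "192.168.0.200", ME, dport="22")),
        ("outgoing HTTPS", packet("out", "tcp", ME, "192.168.0.1", dport="443")),
    ]
    for label, p in samples:
        print(f"{verdict(RULES, p):5}  {label}")
```

Before trusting the model, let pfctl parse the real file with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded), and after loading compare the expanded rules printed by `pfctl -sr` with what you expected. The packets that `block in log all` and `block out log all` reject are written to pflog and can be read with `tcpdump -n -e -ttt -r /var/log/pflog`.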

To enable PF and PF logging support to start automatically during boot, the following lines should be added to /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_program="/sbin/pflogd"
